Malware
Definitions

Malware (a concatenation of '''mal'''icious soft'''ware''') (also known as computer malicious code (CMC), malicious code and malicious software) is

Overview

Malware includes parasites, Trojan horses, viruses, worms, backdoors, keystroke loggers, rootkits, phishing, spyware or other types of software, known as the payload. Malware can give attackers unauthorized access to a storage device, transfer information from a storage device to an attacker's system, and perform other actions that jeopardize the confidentiality of the information on a storage device.

Malware generally is grouped into two categories: "family" and "variant." "Family" refers to the distinct or original piece of software. "Variant" refers to a different version of the original malicious code, or family, with minor changes.

Malware, in the form of botnets, has become a critical part of a self-sustaining cyberattack system. Malware can gain remote access to an information system, record and send data from that system to a third party without the user's permission or knowledge, conceal that the information system has been compromised, disable security measures, damage the information system, or otherwise affect data and system integrity.

Malware often violates one or more of the following fundamental principles (U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs), at 23):

:(a) Consent: Malware may be installed even though the user did not knowingly ask for that to happen.
:(b) Honesty: Malware may pretend to do one thing, while actually doing something completely different.
:(c) Privacy-Respectfulness: Malware may violate a user's privacy, perhaps capturing user passwords or credit card information.
:(d) Non-Intrusiveness: Malware may annoy users by popping up advertisements, changing the web browser's home page, making systems slow or unstable and prone to crash, or interfering with already-installed security software.
:(e) Harmlessness: Malware may be software that hurts users (such as software that damages their system, sends spam emails, or disables security software).
:(f) Respect for User Management: If the user attempts to remove the software, it may reinstall itself or otherwise override user preferences.

How malware works

Malware is able to compromise information systems due to a combination of factors that include insecure operating system design and related software vulnerabilities. Malware works by running or installing itself on an information system, manually or automatically. (Malware may also exploit vulnerabilities in hardware; however, this is rare compared to the number of software vulnerabilities available to exploit at any given time.)

Software may contain vulnerabilities, or "holes" in its fabric, caused by faulty coding. Software may also be improperly configured, have functionality turned off, be used in a manner not compatible with its suggested uses, or be improperly configured with other software. All of these are potential vulnerabilities and vectors for attack. Once these vulnerabilities are discovered, malware can be developed to exploit them for malicious purposes before the security community has developed a "fix," known as a patch. Malware can also compromise information systems due to non-technological factors such as poor user practices and inadequate security policies and procedures.

The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay "below the radar" of the security and law enforcement communities. Malware often masquerades as useful programs or is embedded into useful programs so that users are induced into executing it. Over the last 20 years, malware has evolved from occasional "exploits" to a global multi-million dollar criminal industry.
Categories of malware

Malware is divided into the following major categories:

* Virus
** Compiled virus
** Interpreted virus
* Worm
** Network service worm
** Mass mailing worm
* Trojan horse
* Malicious mobile code
* Ransomware
* Blended attack
* Tracking cookie
* Attacker tools
** Backdoor
** Keystroke logger
** Mirai
** Rootkit
** Web browser plug-in
** E-mail generator
** Attacker toolkit

Malware activities

"Malware is being used to conduct the following activities:
* Capturing personal and business information by:
** capturing keystrokes
** collecting logins and passwords
** copying address books
** stealing sensitive corporate information, documentation, and/or trade secrets or even capturing sensitive government or military information
** collecting banking and transactional information
* Facilitating devastating DDoS attacks for nation state purposes, political activism, or as a prelude to extortion, among many other purposes
* Sending spam via email, SMS and other methods." (Best Practices to Address Online and Mobile Threats, at 6.)

History

The following brief history is derived from an NIST Report (NIST Special Publication 800-83, at 2-10):

Malware prevention policies

Organizations should ensure that their policies address prevention of malware incidents. These policy statements should be used as the basis for additional malware prevention efforts, such as user and IT staff awareness, vulnerability mitigation, and threat mitigation. If an organization does not state malware prevention considerations clearly in its policies, it is unlikely to perform malware prevention activities consistently and effectively throughout the organization. Malware prevention-related policy should be as general as possible to provide flexibility in policy implementation and reduce the need for frequent policy updates, but also specific enough to make the intent and scope of the policy clear.
Although some organizations have separate malware policies, many malware prevention considerations belong in other policies, such as an acceptable use policy, so a separate malware policy might duplicate some of the content of other policies. Malware prevention-related policy should include provisions related to remote workers, both those using systems controlled by the organization and those using systems outside of the organization's control (e.g., contractor computers, employees' home computers, business partners' computers, mobile devices).

Common malware prevention-related policy considerations include the following:

* Requiring the scanning of media from outside of the organization for malware before they can be used;
* Requiring that e-mail file attachments, including compressed files (e.g., .zip files), be saved to local disk drives or media and scanned before they are opened;
* Forbidding the sending or receipt of certain types of files (e.g., .exe files) via e-mail and allowing certain additional file types to be blocked for a period of time in response to an impending malware threat;
* Restricting or forbidding the use of unnecessary software, such as user applications that are often used to transfer malware (e.g., personal use of external instant messaging, desktop search engine, and peer-to-peer file sharing services), and services that are not needed or duplicate the organization-provided equivalents (e.g., e-mail) and might contain additional vulnerabilities that could be exploited by malware;
* Restricting the use of administrator-level privileges by users, which helps to limit the privileges available to malware introduced to systems by users;
* Requiring that systems be kept up-to-date with operating system and application upgrades and patches;
* Restricting the use of removable media (e.g., floppy disks, compact discs (CD), Universal Serial Bus (USB) flash drives), particularly on systems that are at high risk of infection, such as publicly accessible kiosks;
* Specifying which types of preventive software (e.g., antivirus software, spyware detection and removal utility) are required for each type of system (e.g., file server, e-mail server, proxy server, workstation, personal digital assistant (PDA)) and application (e.g., e-mail client, Web browser), and listing the high-level requirements for configuring and maintaining the software (e.g., software update frequency, system scan scope and frequency);
* Permitting access to other networks (including the Internet) only through organization-approved and secured mechanisms;
* Requiring firewall configuration changes to be approved through a formal process;
* Specifying which types of mobile code may be used from various sources (e.g., internal Web servers, other organizations' Web servers); and
* Restricting the use of mobile devices on trusted networks.

See also

* BlackHole
* Cascade
* Commodity malware
* Cryptolocker
* CryptoWall
* Destructive malware
* Drive-by malware
* "Drive-by" ransomware
* GameOver Zeus
* Handling Destructive Malware
* Heartbleed
* Injection flaw
* Malicious code
* Malicious payload
* Malware propagation vector
* Melissa virus
* Memory-scraping attack
* Morris worm
* Polymorphic malware
* Ransomware
* Rogue security software
* Rogueware
* Slammer worm
* SQL injection vulnerability
* Stration
* Stuxnet
* Watering hole attack
* ZeroAccess Trojan

External resources

* Infoplease, "Computer Virus Timeline" (full-text).
* Brian Krebs, "A Short History of Computer Viruses and Attacks," washingtonpost.com (Feb. 13, 2003) (full-text).

Categories: Software, Computer crime, Security, Definition, Spyware, malware
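The attachment-related policy considerations above (forbidding certain file types such as .exe, temporarily blocking additional types during an impending threat, and inspecting compressed files before they are opened) can be enforced mechanically at a mail gateway. The following is an example added here, not code from the wiki page or from NIST SP 800-83; the block lists, the expiry date and the sample archives are constructed assumptions.

```python
"""Attachment policy check (added example; not from the wiki page or NIST SP 800-83).
Enforces a permanent forbidden-type list, a temporary list that expires after the
threat window, and inspection of zip attachments before they are opened.
All extension lists, dates and sample data below are constructed assumptions."""
import io
import zipfile
from datetime import datetime, timezone

# Permanently forbidden extensions (illustrative, not a complete policy list).
ALWAYS_BLOCKED = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}
# Temporary blocks added for a specific threat: extension -> UTC expiry (constructed).
TEMP_BLOCKED = {"iso": datetime(2020, 3, 1, tzinfo=timezone.utc)}


def blocked_extensions(now):
    """Effective block list at `now`: permanent plus unexpired temporary entries."""
    return ALWAYS_BLOCKED | {e for e, until in TEMP_BLOCKED.items() if now < until}


def extension_of(name):
    """Last extension, lower-cased, so 'Invoice.PDF.exe' is judged by 'exe'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check_attachment(name, data, now):
    """Return (allowed, reason). Archives are recognised by their magic bytes,
    not by filename, and every member is checked before the archive is allowed."""
    blocked = blocked_extensions(now)
    if extension_of(name) in blocked:
        return False, f"{name}: file type forbidden by policy"
    if data.startswith(b"PK\x03\x04"):  # local file header of a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if extension_of(member) in blocked:
                        return False, f"{name}: archive contains forbidden member {member}"
        except zipfile.BadZipFile:
            return False, f"{name}: archive cannot be inspected; quarantine"
    return True, f"{name}: allowed"


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()
```

An archive that cannot be parsed is refused rather than allowed, since the policy requires that compressed attachments be scanned before they are opened.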